In Technology We Trust? Three Reasons Why That's Not Enough
Security maturity involves more than new technology
By: Gopan Sivasankaran
Cybersecurity professionals do love a three-part acronym. We've got CIA (Confidentiality, Integrity, Availability), the slightly less catchy but just as important VAD (Visibility, Accountability, Defense-in-Depth) and APT (Advanced Persistent Threat). Now I've got a new one for you: PPP. That's People, Process and Product, otherwise known as People, Process and Technology. Today I'm going to tell you why, for many organizations, placing too much focus on just one of those 'P's is a mistake they could easily avoid.
Those organizations often state that they are investing heavily in information security. That's great, but the problem arises when that investment is weighted too heavily towards Product, meaning security technologies, at the expense of the other two 'P's.
Product vendors don't have a problem with this; it's why they keep releasing 'next-generation' products, and there's nothing wrong with running the latest product versions. But to get the best out of the investment in those products, we must place at least equal weight on People and Process.
Three Key Reasons: Security Immaturity, Technology Trust and Lack of Security Resources
How did we get to this situation?
While organizational awareness of security has undoubtedly improved over the decade I've been in security, there are still three key reasons for this skewed focus: immaturity, trust in technology and lack of resources. Let's look at them in turn and see how we can turn them around.
First, immaturity. Here I mean information security immaturity, which by no means correlates with or is caused by organizational size. Immaturity and trust in technology are closely related in many ways, and, as we'll see, lack of resourcing feeds into this relationship too.
While this may be starting to change at the CISO level in some organizations, many information security professionals are technical in focus. Often they move into information security from the IT function. It's natural that they love technology, new products and new software. That can lead to all those 'next-gen' products and tools being deployed and regularly updated. Yet all too often, this product resourcing is not matched by people or process planning. From the organizational perspective, technology alone simply cannot solve every security problem.
Moving Towards Security Maturity
Analysts have shown that the amount of money being spent on incident response is rising, and the trend is set to continue. But what does that tell you? It implies a high perceived risk of being the victim of an incident, which in turn suggests that the technologies claiming to prevent security incidents aren't seen as effective on their own.
But it's not the products that are the problem. Many of them are excellent. It's the attitude and approach to the products that organizations take that indicates their level of security maturity.
An organization that believes technology alone will protect it entirely from security threats is not a mature organization in the security sense. It's time organizations accepted that it's not a matter of 'if' but 'when' a breach will happen. What indicates a mature attitude is asking how fast they will be able to detect it. The global average for an incident going unnoticed is still nearly 21 weeks, and acting faster than that takes people and process.
Trust Is Not Enough
Simply trusting that a system such as the latest SIEM (Security Information and Event Management) will do the job isn't enough. You need to nurture the SIEM. You need people who can write correlation rules that make sense, people to monitor the outputs, and the right processes around both. When a SIEM implementation fails, it's rarely because the technology was inferior; it's because the people and processes weren't in place.
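To make "correlation rules that make sense" concrete, the Python below is an added example (not code from the original post or from any SIEM vendor's product). It runs two rules over a few constructed authentication log lines: a naive rule that alerts on every failed login, which floods the analyst who has to monitor the output, and a correlated rule that alerts only when a burst of failures from one user/source pair is followed by a success within a short window. The log format, the threshold of five failures and the five-minute window are assumptions made for this illustration.

```python
"""Added example: two SIEM-style correlation rules over constructed auth log lines.

The log lines, field layout, threshold and window are assumptions for this
illustration; they are not taken from any real SIEM product or real data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (syslog-like layout; not real data).
SAMPLE_LOG = """\
2024-03-01T09:00:01Z auth user=alice src=10.0.0.5 result=failure
2024-03-01T09:00:03Z auth user=alice src=10.0.0.5 result=success
2024-03-01T09:10:00Z auth user=bob src=203.0.113.9 result=failure
2024-03-01T09:10:02Z auth user=bob src=203.0.113.9 result=failure
2024-03-01T09:10:04Z auth user=bob src=203.0.113.9 result=failure
2024-03-01T09:10:06Z auth user=bob src=203.0.113.9 result=failure
2024-03-01T09:10:08Z auth user=bob src=203.0.113.9 result=failure
2024-03-01T09:10:09Z auth user=bob src=203.0.113.9 result=success
2024-03-01T09:30:00Z auth user=carol src=10.0.0.7 result=failure
2024-03-01T11:00:00Z auth user=carol src=10.0.0.7 result=failure
2024-03-01T11:00:01Z auth user=carol src=10.0.0.7 result=success
"""


def parse_log(text):
    """Parse lines of the constructed format into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[1] != "auth":
            continue  # ignore anything that is not an auth record
        fields = dict(p.split("=", 1) for p in parts[2:])
        fields["ts"] = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        events.append(fields)
    return events


def naive_rule(events):
    """A rule that 'works' but does not make sense: every failure is an alert."""
    return [e for e in events if e["result"] == "failure"]


def brute_force_then_success(events, threshold=5, window=timedelta(minutes=5)):
    """Alert once per (user, src) when at least `threshold` failures occur
    inside `window` and are followed by a success from the same pair."""
    alerts = []
    recent = defaultdict(list)  # (user, src) -> failure timestamps still in window
    for e in sorted(events, key=lambda ev: ev["ts"]):
        key = (e["user"], e["src"])
        # drop failures that have aged out of the window before evaluating
        recent[key] = [t for t in recent[key] if e["ts"] - t <= window]
        if e["result"] == "failure":
            recent[key].append(e["ts"])
        elif e["result"] == "success" and len(recent[key]) >= threshold:
            alerts.append({"user": e["user"], "src": e["src"],
                           "failures": len(recent[key]), "at": e["ts"]})
            recent[key] = []  # one burst yields one alert, not one per success
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(len(naive_rule(evs)), "alerts from the naive rule")
    for a in brute_force_then_success(evs):
        print("brute force followed by success:", a)
```

On the sample data the naive rule raises eight alerts, one per failed login, including Carol's two mistyped passwords hours apart; the correlated rule raises a single alert, for Bob's five rapid failures followed by a success. The rule itself is only half the work: someone still has to tune the threshold and window for the environment, and a process has to say who picks up the alert and what they do with it.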
To make progress, there must be processes around change management, monitoring, incident response and more. I've come across organizations that allow changes to firewall rules without any form of change tracking, and organizations that haven't allocated responsibilities for actions during an incident.
Are your processes documented, tested, and in place?
Lack of Security Resources
All too often, this comes down to the third factor: resourcing. Today there is effectively zero unemployment in security. There may be as few as one qualified candidate for every 20 roles advertised. As a result, retaining talent is a herculean task.
With such high demand, security administrators often take the training they receive in one job and, within a short period, use those skills to move on to better opportunities at other organizations that are struggling to retain their own talent. Security is a complex challenge that, at its core, requires highly skilled professionals to maintain the integrity and success of the program.
A Balanced Security Approach
We started this post by asking how companies got into the position of focusing too heavily on product at the expense of people and process. Without enough people it's difficult to staff the process, and so technology becomes the predominant part of an organization's security investment.
So what should you do if you want to move to a more mature approach to information security? How do you attract and retain the talent needed? Ultimately, how do you rebalance the 3 Ps?
In this case, it is valuable to seek out help from third-party experts who can fill the process and people gaps. Evaluate your current state of security and your risk profile, and develop a deeper understanding of how far that is from your security goals. Cybersecurity cannot focus exclusively on updating products each year. In the face of an ever-evolving threat landscape, you need to balance your approach, acknowledging that incidents will happen and that you must be prepared to meet them before they occur. Strengthen the human firewall, keep your review processes up to date and make sure that you are ready to rapidly detect and remediate advanced and evasive threats. This output, covering all three Ps, is the basis of your security roadmap.
For many organizations that's a lot to ask all at once, and for many the resourcing question may pose a real barrier.
Here, a managed security service partner can act as an extended arm of your information security team, supplying skills such as incident response that are extremely difficult to fill in-house.
Then, once you have your three Ps covered, the next step is threat intelligence, the fourth dimension that gives you 360-degree coverage of your information security posture.